FIREWALL-OFFLINE-C(1)        firewall-offline-cmd        FIREWALL-OFFLINE-C(1)


NAME

       firewall-offline-cmd - firewalld offline command line client


SYNOPSIS

       firewall-offline-cmd [OPTIONS...]


DESCRIPTION

       firewall-offline-cmd is an offline command line client of the firewalld
       daemon. It should be used only if the firewalld service is not running,
       for example to migrate from system-config-firewall/lokkit or to
       configure firewall settings with kickstart in the install environment.

       Some lokkit options cannot be converted automatically for firewalld;
       they result in an error or warning message. This tool converts as much
       as possible, but there are limitations, for example with custom rules,
       modules and masquerading.

       Check the firewall configuration after using this tool.


OPTIONS

       If no options are given, the configuration from
       /etc/sysconfig/system-config-firewall will be migrated.

       Sequence options are the options that can be specified multiple times.
       For them the exit code is 0 if at least one item succeeded. The
       ALREADY_ENABLED (11), NOT_ENABLED (12) and ZONE_ALREADY_SET (16) errors
       are treated as succeeded. Problems while parsing the items are treated
       as warnings and do not change the result as long as at least one item
       succeeded. Without any succeeded item, the exit code depends on the
       error codes: if there is exactly one error code, that code is used; if
       there are several, UNKNOWN_ERROR (254) is used.
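       The exit-code rule above has a consequence for provisioning scripts:
       a batch of repeated sequence options reports success as soon as one
       item succeeds, so a misspelled item among valid ones is only a warning.
       The following POSIX shell script is an added example (not part of this
       man page or of the firewalld project) that contrasts one batched
       invocation with one invocation per item. It assumes the tool is run
       through a variable named FIREWALL_OFFLINE_CMD (a name chosen for this
       example) so the logic can be dry-run by pointing it at a shell
       function.

```shell
#!/bin/sh
# Added example, not firewalld project code.
# Assumption: the tool is reachable as $FIREWALL_OFFLINE_CMD; set the
# variable to the name of a shell function to dry-run without the binary.
FIREWALL_OFFLINE_CMD="${FIREWALL_OFFLINE_CMD:-firewall-offline-cmd}"

# Names for the exit codes quoted in the OPTIONS section; any other
# non-zero value is the error code of the single failed item.
status_name() {
    case "$1" in
        0)   echo SUCCESS ;;
        11)  echo ALREADY_ENABLED ;;
        12)  echo NOT_ENABLED ;;
        16)  echo ZONE_ALREADY_SET ;;
        254) echo UNKNOWN_ERROR ;;
        *)   echo "ERROR_$1" ;;
    esac
}

# add_services_batched ZONE SERVICE...
# One invocation with --add-service repeated. The exit status is 0 as
# soon as one service was added; a bad service name among good ones is
# only reported as a warning on stderr.
add_services_batched() {
    zone="$1"; shift
    args="--zone=$zone"
    for svc in "$@"; do
        args="$args --add-service=$svc"
    done
    # shellcheck disable=SC2086  # $args is meant to be word-split
    "$FIREWALL_OFFLINE_CMD" $args
}

# add_services_strict ZONE SERVICE...
# One invocation per service. Stops at the first failing item and
# returns that item's exit status, so a typo fails the provisioning
# run instead of being masked by the batch.
add_services_strict() {
    zone="$1"; shift
    for svc in "$@"; do
        rc=0
        "$FIREWALL_OFFLINE_CMD" --zone="$zone" --add-service="$svc" || rc=$?
        if [ "$rc" -ne 0 ]; then
            echo "add-service $svc failed: $(status_name "$rc")" >&2
            return "$rc"
        fi
    done
}

# Demo (only when invoked as: sh this-script.sh demo); requires the tool.
if [ "${1:-}" = "demo" ]; then
    add_services_strict public ssh https
fi
```

       Use the batched form for idempotent re-runs, where ALREADY_ENABLED
       should not fail the script, and the strict form when every listed item
       must actually have been applied.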

       The following options are supported:

   General Options
       -h, --help
           Prints a short help text and exits.

       -V, --version
           Prints the version string of firewalld and exits.

       -q, --quiet
           Do not print status messages.

       --default-config
           Path to the firewalld default configuration. This usually defaults
           to /usr/lib/firewalld.

       --system-config
           Path to the firewalld system (user) configuration. This usually
           defaults to /etc/firewalld.

   Status Options
       --enabled
           Enable the firewall. This is the default: the firewall is activated
           if it is not already enabled, as long as --disabled is not given.

       --disabled
           Disable the firewall by disabling the firewalld service.

       --check-config
           Run checks on the permanent (default and system) configuration.
           This includes XML validity and semantics.

           This may be used with --system-config to check the validity of
           handwritten configuration files before copying them to the standard
           location.
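           The check-before-copy workflow just described, as an added POSIX
           shell example (not part of this man page or of the firewalld
           project). It assumes a staging directory laid out like
           /etc/firewalld (a zones/ subdirectory), a zone file constructed
           for the example, and that the tool is invoked through a variable
           named FIREWALL_OFFLINE_CMD (chosen here) so the gate can be
           exercised without the binary. Files reach the destination only
           when --check-config exits 0.

```shell
#!/bin/sh
# Added example, not firewalld project code.
# Assumption: the tool is reachable as $FIREWALL_OFFLINE_CMD.
FIREWALL_OFFLINE_CMD="${FIREWALL_OFFLINE_CMD:-firewall-offline-cmd}"

# stage_example_zone STAGE
# Writes a constructed zone file into STAGE/zones so that there is
# something for --check-config to validate (zone files live under
# zones/ in a firewalld configuration directory).
stage_example_zone() {
    stage="$1"
    mkdir -p "$stage/zones"
    cat > "$stage/zones/dmz-web.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone target="DROP">
  <short>dmz-web</short>
  <description>Constructed example: only HTTPS reaches hosts in this zone.</description>
  <service name="https"/>
</zone>
EOF
}

# check_then_install STAGE DEST
# Runs the XML and semantic checks with STAGE as the system
# configuration. Only on a clean check are the files copied to DEST;
# a failed check leaves DEST untouched and returns 1.
check_then_install() {
    stage="$1"; dest="$2"
    if "$FIREWALL_OFFLINE_CMD" --system-config="$stage" --check-config; then
        mkdir -p "$dest"
        cp -R "$stage"/. "$dest"/
        return 0
    fi
    echo "check-config failed for $stage; nothing copied to $dest" >&2
    return 1
}

# Demo (sh this-script.sh demo): stage, check and install into a temp dir.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    stage_example_zone "$tmp/stage"
    check_then_install "$tmp/stage" "$tmp/etc-firewalld" \
        && ls "$tmp/etc-firewalld/zones"
fi
```

           In production the destination is /etc/firewalld; run the check as
           the same user that will copy the files, and keep the staging copy
           until the daemon has been started with the new configuration.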

   Lokkit Compatibility Options
       These options are nearly identical to the options of lokkit.

       --migrate-system-config-firewall=file
           Migrate system-config-firewall configuration from the given file.
           No further

       --addmodule=module
           This option will result in a warning message and will be ignored.

           Handling of netfilter helpers has been merged into services
           completely. Adding or removing netfilter helpers outside of
           services is therefore not needed anymore. For more information on
           handling netfilter helpers in services, please have a look at
           firewalld.zone(5).

       --removemodule
           This option will result in a warning message and will be ignored.

           Handling of netfilter helpers has been merged into services
           completely. Adding or removing netfilter helpers outside of
           services is therefore not needed anymore. For more information on
           handling netfilter helpers in services, please have a look at
           firewalld.zone(5).

       --remove-service=service
           Remove a service from the default zone. This option can be
           specified multiple times.

           The service is one of the firewalld provided services. To get a
           list of the supported services, use firewall-offline-cmd
           --get-services.

       -s service, --service=service
           Add a service to the default zone. This option can be specified
           multiple times.

           The service is one of the firewalld provided services. To get a
           list of the supported services, use firewall-offline-cmd
           --get-services.

       -p portid[-portid]:protocol, --port=portid[-portid]:protocol
           Add the port to the default zone. This option can be specified
           multiple times.

           The port can either be a single port number or a port range
           portid-portid. The protocol can either be tcp, udp, sctp or dccp.
           Note the lokkit-style ':' separator; the zone options further
           below use '/' between port and protocol.

       -t interface, --trust=interface
           This option will result in a warning message.

           Mark an interface as trusted. This option can be specified multiple
           times. The interface will be bound to the trusted zone.

           If the interface is used in a NetworkManager managed connection or
           if there is an ifcfg file for this interface, the zone will be
           changed to the zone defined in the configuration as soon as it gets
           activated. To change the zone of a connection use
           nm-connection-editor and set the zone to trusted; for an ifcfg
           file, use an editor and add "ZONE=trusted". If the zone is not
           defined in the ifcfg file, the firewalld default zone will be used.

       -m interface, --masq=interface
           This option will result in a warning message.

           Masquerading will be enabled in the default zone. The interface
           argument will be ignored. This is for IPv4 only.

       --custom-rules=[type:][table:]filename
           This option will result in a warning message and will be ignored.

           Custom rule files are not supported by firewalld.

       --forward-port=if=interface:port=port:proto=protocol[:toport=destination
       port:][:toaddr=destination address]
           This option will result in a warning message.

           Add the IPv4 forward port in the default zone. This option can be
           specified multiple times.

           The port can either be a single port number portid or a port range
           portid-portid. The protocol can either be tcp, udp, sctp or dccp.
           The destination address is an IP address.

       --block-icmp=icmptype
           This option will result in a warning message.

           Add an ICMP block for icmptype in the default zone. This option can
           be specified multiple times.

           The icmptype is one of the ICMP types firewalld supports. To get a
           listing of supported ICMP types: firewall-offline-cmd
           --get-icmptypes

   Log Denied Options
       --get-log-denied
           Print the log denied setting.

       --set-log-denied=value
           Add logging rules right before reject and drop rules in the INPUT,
           FORWARD and OUTPUT chains for the default rules and also final
           reject and drop rules in zones for the configured link-layer packet
           type. The possible values are: all, unicast, broadcast, multicast
           and off. The default setting is off, which disables the logging.

           This changes the permanent configuration. Because firewalld is not
           running while this tool is used, the logging rules take effect when
           the daemon is next started.

   Zone Options
       --get-default-zone
           Print default zone for connections and interfaces.

       --set-default-zone=zone
           Set default zone for connections and interfaces where no zone has
           been selected. Setting the default zone changes the zone for the
           connections or interfaces that are using the default zone.

       --get-zones
           Print predefined zones as a space separated list.

       --get-services
           Print predefined services as a space separated list.

       --get-icmptypes
           Print predefined icmptypes as a space separated list.

       --get-zone-of-interface=interface
           Print the name of the zone the interface is bound to or no zone.

       --get-zone-of-source=source[/mask]|MAC|ipset:ipset
           Print the name of the zone the source is bound to or no zone.

       --info-zone=zone
           Print information about the zone zone. The output format is:

               zone
                 interfaces: interface1 ..
                 sources: source1 ..
                 services: service1 ..
                 ports: port1 ..
                 protocols: protocol1 ..
                 forward-ports:
                       forward-port1
                       ..
                 source-ports: source-port1 ..
                 icmp-blocks: icmp-type1 ..
                 rich rules:
                       rich-rule1
                       ..

       --list-all-zones
           List everything added for or enabled in all zones. The output
           format is:

               zone1
                 interfaces: interface1 ..
                 sources: source1 ..
                 services: service1 ..
                 ports: port1 ..
                 protocols: protocol1 ..
                 forward-ports:
                       forward-port1
                       ..
                 source-ports: source-port1 ..
                 icmp-blocks: icmp-type1 ..
                 rich rules:
                       rich-rule1
                       ..
               ..
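           The DESCRIPTION asks you to check the configuration after using
           this tool; the text format above is what a post-install script has
           to read to do that. The following POSIX shell functions are an
           added example (not part of this man page or of the firewalld
           project) that turn --list-all-zones output into queryable fields.
           The sample output embedded in the block is constructed to match
           the documented format; the zone names, interface and addresses in
           it are illustrative only.

```shell
#!/bin/sh
# Added example, not firewalld project code. Parses the text format of
# `firewall-offline-cmd --list-all-zones` (also `--info-zone=zone`).
# Zone names start in column 0, fields are indented by two spaces, and
# multi-line fields (forward-ports, rich rules) list one item per
# deeper-indented line.

# Constructed sample output; real output is produced by
#   firewall-offline-cmd --list-all-zones
SAMPLE_ZONES='public
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports: 8443/tcp
  protocols:
  forward-ports:
        port=80:proto=tcp:toport=8080:toaddr=
  source-ports:
  icmp-blocks: echo-request
  rich rules:
        rule family="ipv4" source address="10.0.0.0/8" service name="ssh" accept
trusted
  interfaces:
  sources: 192.0.2.0/24
  services:
  ports:
  protocols:
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
'

# zone_field ZONE FIELD  (reads the listing from stdin)
# Prints the items of FIELD for ZONE, one per line. Single-line fields
# are split on whitespace; continuation lines are printed whole, so a
# rich rule keeps its internal spaces.
zone_field() {
    awk -v zone="$1" -v field="$2" '
        /^[^ \t]/ { cur = $0; active = 0; next }      # zone header line
        /^  [^ \t]/ {                                 # "  key: values"
            line = substr($0, 3)
            i = index(line, ":")
            key = substr(line, 1, i - 1)
            val = substr(line, i + 1)
            sub(/^[ \t]+/, "", val)
            active = (cur == zone && key == field)
            if (active) {
                n = split(val, items, " ")
                for (j = 1; j <= n; j++) print items[j]
            }
            next
        }
        active && /^[ \t]/ { sub(/^[ \t]+/, ""); print }   # continuation item
    '
}

# zone_has ZONE FIELD VALUE  (reads the listing from stdin)
# Exit status 0 if VALUE is listed under FIELD for ZONE, 1 otherwise.
zone_has() {
    zone_field "$1" "$2" | grep -qxF -- "$3"
}

# Demo (sh this-script.sh demo): assert that nothing but the expected
# services are open in "public" in the constructed sample.
if [ "${1:-}" = "demo" ]; then
    for svc in $(printf '%s' "$SAMPLE_ZONES" | zone_field public services); do
        case "$svc" in
            ssh|dhcpv6-client) ;;
            *) echo "unexpected service in public: $svc" >&2; exit 1 ;;
        esac
    done
    echo "public exposes only the expected services"
fi
```

           Feed real output with
           firewall-offline-cmd --list-all-zones | zone_field public services
           and compare against the allowlist your build expects; a zone that
           gained a service or port during migration then fails the check
           instead of going unnoticed.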



       --new-zone=zone
           Add a new permanent zone.

           Zone names must be alphanumeric and may additionally include
           characters: '_' and '-'.

       --new-zone-from-file=filename [--name=zone]
           Add a new permanent zone from a prepared zone file with an optional
           name override.

       --path-zone=zone
           Print path of the zone configuration file.

       --delete-zone=zone
           Delete an existing permanent zone.

       --zone=zone --set-description=description
           Set a new description for zone.

       --zone=zone --get-description
           Print the description of zone.

       --zone=zone --set-short=description
           Set a new short description for zone.

       --zone=zone --get-short
           Print the short description of zone.

       --zone=zone --get-target
           Get the target of a permanent zone.

       --zone=zone --set-target=target
           Set the target of a permanent zone.  target is one of: default,
           ACCEPT, DROP, REJECT

           default is similar to REJECT, but has special meaning in the
           following scenarios:

            1. ICMP explicitly allowed

               At the end of the zone's ruleset ICMP packets are explicitly
               allowed.

            2. forwarded packets follow the target of the egress zone

               In the case of forwarded packets, if the ingress zone uses
               default then whether or not the packet will be allowed is
               determined by the egress zone.

               For a forwarded packet that ingresses zoneA and egresses zoneB:

               ·   if zoneA's target is ACCEPT, DROP, or REJECT then the
                   packet is accepted, dropped, or rejected respectively.

               ·   if zoneA's target is default, then the packet is accepted,
                   dropped, or rejected based on zoneB's target. If zoneB's
                   target is also default, then the packet will be rejected by
                   firewalld's catchall reject.

            3. Zone drifting from source-based zone to interface-based zone

               This only applies if AllowZoneDrifting is enabled. See
               firewalld.conf(5).

               If a packet ingresses a source-based zone with a target of
               default, it may still enter an interface-based zone (including
               the default zone).

   Options to Adapt and Query Zones
       Options in this section affect only one particular zone. If used with
       --zone=zone option, they affect the zone zone. If the option is
       omitted, they affect default zone (see --get-default-zone).

       [--zone=zone] --list-all
           List everything added for or enabled in zone. If zone is omitted,
           default zone will be used.

       [--zone=zone] --list-services
           List services added for zone as a space separated list. If zone is
           omitted, default zone will be used.

       [--zone=zone] --add-service=service
           Add a service for zone. If zone is omitted, default zone will be
           used. This option can be specified multiple times.

           The service is one of the firewalld provided services. To get a
           list of the supported services, use firewall-offline-cmd
           --get-services.

       [--zone=zone] --remove-service-from-zone=service
           Remove a service from zone. This option can be specified multiple
           times. If zone is omitted, default zone will be used.

       [--zone=zone] --query-service=service
           Return whether service has been added for zone. If zone is omitted,
           default zone will be used. Returns 0 if true, 1 otherwise.

       [--zone=zone] --list-ports
           List ports added for zone as a space separated list. A port is of
           the form portid[-portid]/protocol; it can be either a port and
           protocol pair or a port range with a protocol. If zone is omitted,
           default zone will be used.

       [--zone=zone] --add-port=portid[-portid]/protocol
           Add the port for zone. If zone is omitted, default zone will be
           used. This option can be specified multiple times.

           The port can either be a single port number or a port range
           portid-portid. The protocol can either be tcp, udp, sctp or dccp.

       [--zone=zone] --remove-port=portid[-portid]/protocol
           Remove the port from zone. If zone is omitted, default zone will be
           used. This option can be specified multiple times.

       [--zone=zone] --query-port=portid[-portid]/protocol
           Return whether the port has been added for zone. If zone is
           omitted, default zone will be used. Returns 0 if true, 1 otherwise.

       [--zone=zone] --list-protocols
           List protocols added for zone as a space separated list. If zone is
           omitted, default zone will be used.

       [--zone=zone] --add-protocol=protocol
           Add the protocol for zone. If zone is omitted, default zone will be
           used. This option can be specified multiple times.

           The protocol can be any protocol supported by the system. Please
           have a look at /etc/protocols for supported protocols.

       [--zone=zone] --remove-protocol=protocol
           Remove the protocol from zone. If zone is omitted, default zone
           will be used. This option can be specified multiple times.

       [--zone=zone] --query-protocol=protocol
           Return whether the protocol has been added for zone. If zone is
           omitted, default zone will be used. Returns 0 if true, 1 otherwise.

       [--zone=zone] --list-icmp-blocks
           List Internet Control Message Protocol (ICMP) type blocks added for
           zone as a space separated list. If zone is omitted, default zone
           will be used.

       [--zone=zone] --add-icmp-block=icmptype
           Add an ICMP block for icmptype for zone. If zone is omitted,
           default zone will be used. This option can be specified multiple
           times.

           The icmptype is one of the ICMP types firewalld supports. To get a
           listing of supported ICMP types: firewall-offline-cmd
           --get-icmptypes

       [--zone=zone] --remove-icmp-block=icmptype
           Remove the ICMP block for icmptype from zone. If zone is omitted,
           default zone will be used. This option can be specified multiple
           times.

       [--zone=zone] --query-icmp-block=icmptype
           Return whether an ICMP block for icmptype has been added for zone.
           If zone is omitted, default zone will be used. Returns 0 if true, 1
           otherwise.

       [--zone=zone] --list-forward-ports
           List IPv4 forward ports added for zone as a space separated list.
           If zone is omitted, default zone will be used.

           For IPv6 forward ports, please use the rich language.

       [--zone=zone]
       --add-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
           Add the IPv4 forward port for zone. If zone is omitted, default
           zone will be used. This option can be specified multiple times.

           The port can either be a single port number portid or a port range
           portid-portid. The protocol can either be tcp, udp, sctp or dccp.
           The destination address is a simple IP address.

           For IPv6 forward ports, please use the rich language.

           Note: IP forwarding will be implicitly enabled if toaddr is
           specified.

       [--zone=zone]
       --remove-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
           Remove the IPv4 forward port from zone. If zone is omitted, default
           zone will be used. This option can be specified multiple times.

           For IPv6 forward ports, please use the rich language.

       [--zone=zone]
       --query-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
           Return whether the IPv4 forward port has been added for zone. If
           zone is omitted, default zone will be used. Returns 0 if true, 1
           otherwise.

           For IPv6 forward ports, please use the rich language.

       [--zone=zone] --list-source-ports
           List source ports added for zone as a space separated list. A port
           is of the form portid[-portid]/protocol. If zone is omitted,
           default zone will be used.

       [--zone=zone] --add-source-port=portid[-portid]/protocol
           Add the source port for zone. If zone is omitted, default zone will
           be used. This option can be specified multiple times.

           The port can either be a single port number or a port range
           portid-portid. The protocol can either be tcp, udp, sctp or dccp.

       [--zone=zone] --remove-source-port=portid[-portid]/protocol
           Remove the source port from zone. If zone is omitted, default zone
           will be used. This option can be specified multiple times.

       [--zone=zone] --query-source-port=portid[-portid]/protocol
           Return whether the source port has been added for zone. If zone is
           omitted, default zone will be used. Returns 0 if true, 1 otherwise.

       [--zone=zone] --add-masquerade
           Enable IPv4 masquerade for zone. If zone is omitted, default zone
           will be used. Masquerading is useful if the machine is a router and
           machines connected over an interface in another zone should be able
           to use the first connection.

           For IPv6 masquerading, please use the rich language.

           Note: IP forwarding will be implicitly enabled.

       [--zone=zone] --remove-masquerade
           Disable IPv4 masquerade for zone. If zone is omitted, default zone
           will be used.

           For IPv6 masquerading, please use the rich language.

       [--zone=zone] --query-masquerade
           Return whether IPv4 masquerading has been enabled for zone. If zone
           is omitted, default zone will be used. Returns 0 if true, 1
           otherwise.

           For IPv6 masquerading, please use the rich language.

       [--zone=zone] --list-rich-rules
           List rich language rules added for zone as a newline separated
           list. If zone is omitted, default zone will be used.

       [--zone=zone] --add-rich-rule='rule'
           Add rich language rule 'rule' for zone. This option can be
           specified multiple times. If zone is omitted, default zone will be
           used.

           For the rich language rule syntax, please have a look at
           firewalld.richlanguage(5).

       [--zone=zone] --remove-rich-rule='rule'
           Remove rich language rule 'rule' from zone. This option can be
           specified multiple times. If zone is omitted, default zone will be
           used.

           For the rich language rule syntax, please have a look at
           firewalld.richlanguage(5).

       [--zone=zone] --query-rich-rule='rule'
           Return whether a rich language rule 'rule' has been added for zone.
           If zone is omitted, default zone will be used. Returns 0 if true, 1
           otherwise.

           For the rich language rule syntax, please have a look at
           firewalld.richlanguage(5).

   Options to Handle Bindings of Interfaces
       Binding an interface to a zone means that the settings of this zone
       are used to restrict traffic via the interface.

       Options in this section affect only one particular zone. If used with
       --zone=zone option, they affect the zone zone. If the option is
       omitted, they affect default zone (see --get-default-zone).

       For a list of predefined zones use firewall-offline-cmd --get-zones.

       An interface name is a string up to 16 characters long, that may not
       contain ' ', '/', '!' and '*'.

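       Arguments that do not follow the grammars given on this page (the
       interface-name rule above, the portid[-portid]/protocol form used by
       the zone options, and the alphanumeric-plus-'_'-and-'-' rule for zone,
       service and ipset names) are only rejected once the tool runs, which
       in a kickstart %post is often after nobody is watching. The POSIX
       shell functions below are an added example (not part of this man page
       or of the firewalld project) that validate such arguments first. The
       1-65535 port bound is general TCP/UDP knowledge rather than something
       this page states; FIREWALL_OFFLINE_CMD is a variable name chosen for
       the example.

```shell
#!/bin/sh
# Added example, not firewalld project code.
# Assumption: the tool is reachable as $FIREWALL_OFFLINE_CMD.
FIREWALL_OFFLINE_CMD="${FIREWALL_OFFLINE_CMD:-firewall-offline-cmd}"

# valid_port_spec SPEC  ->  portid[-portid]/protocol
# Protocol must be tcp, udp, sctp or dccp (as documented); port numbers
# must be 1-65535 with an ascending range (assumption, not from the page).
valid_port_spec() {
    spec="$1"
    case "$spec" in */*) ;; *) return 1 ;; esac
    proto="${spec##*/}"; ports="${spec%/*}"
    case "$proto" in tcp|udp|sctp|dccp) ;; *) return 1 ;; esac
    case "$ports" in
        *-*) lo="${ports%%-*}"; hi="${ports#*-}" ;;
        *)   lo="$ports"; hi="$ports" ;;
    esac
    case "$lo" in ''|*[!0-9]*) return 1 ;; esac
    case "$hi" in ''|*[!0-9]*) return 1 ;; esac
    [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# valid_name NAME  ->  zone, service and ipset names: alphanumeric plus
# '_' and '-'.
valid_name() {
    case "$1" in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac
    return 0
}

# valid_interface NAME  ->  up to 16 characters, none of ' ' '/' '!' '*'.
valid_interface() {
    [ -n "$1" ] && [ ${#1} -le 16 ] || return 1
    case "$1" in *" "*|*/*|*"!"*|*"*"*) return 1 ;; esac
    return 0
}

# offline_add_port ZONE SPEC: validate, then call the tool.
# Exit status 2 on a malformed argument, else the tool's status.
offline_add_port() {
    valid_name "$1"      || { echo "bad zone name: $1" >&2; return 2; }
    valid_port_spec "$2" || { echo "bad port spec: $2" >&2; return 2; }
    "$FIREWALL_OFFLINE_CMD" --zone="$1" --add-port="$2"
}

# offline_add_interface ZONE IFACE: validate, then bind the interface.
offline_add_interface() {
    valid_name "$1"      || { echo "bad zone name: $1" >&2; return 2; }
    valid_interface "$2" || { echo "bad interface name: $2" >&2; return 2; }
    "$FIREWALL_OFFLINE_CMD" --zone="$1" --add-interface="$2"
}

# Demo (sh this-script.sh demo); requires the tool.
if [ "${1:-}" = "demo" ]; then
    offline_add_port dmz-web 8443/tcp && offline_add_interface dmz-web eth1
fi
```

       Note the lokkit compatibility option -p uses ':' between port and
       protocol, while --add-port uses '/'; the validator accepts only the
       latter, which is what the zone options expect.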
       [--zone=zone] --list-interfaces
           List interfaces that are bound to zone zone as a space separated
           list. If zone is omitted, default zone will be used.

       [--zone=zone] --add-interface=interface
           Bind interface interface to zone zone. If zone is omitted, default
           zone will be used.

       [--zone=zone] --change-interface=interface
           Change the zone that interface interface is bound to, to zone zone.
           If zone is omitted, default zone will be used. If old and new zone
           are the same, the call will be ignored without an error. If the
           interface has not been bound to a zone before, it will behave like
           --add-interface.

       [--zone=zone] --query-interface=interface
           Query whether interface interface is bound to zone zone. Returns 0
           if true, 1 otherwise.

       [--zone=zone] --remove-interface=interface
           Remove binding of interface interface from zone zone. If zone is
           omitted, default zone will be used.

   Options to Handle Bindings of Sources
       Binding a source to a zone means that the settings of this zone will
       be used to restrict traffic from this source.

       A source address or address range is either an IP address or a network
       IP address with a mask for IPv4 or IPv6, a MAC address, or an ipset
       with the ipset: prefix. For IPv4, the mask can be a network mask or a
       plain number. For IPv6 the mask is a plain number. The use of host
       names is not supported.

       Options in this section affect only one particular zone. If used with
       --zone=zone option, they affect the zone zone. If the option is
       omitted, they affect default zone (see --get-default-zone).

       For a list of predefined zones use firewall-offline-cmd --get-zones.

       [--zone=zone] --list-sources
           List sources that are bound to zone zone as a space separated list.
           If zone is omitted, default zone will be used.

       [--zone=zone] --add-source=source[/mask]|MAC|ipset:ipset
           Bind the source to zone zone. If zone is omitted, default zone will
           be used.

       [--zone=zone] --change-source=source[/mask]|MAC|ipset:ipset
           Change the zone that the source is bound to, to zone zone. If zone
           is omitted, default zone will be used. If old and new zone are the
           same, the call will be ignored without an error. If the source has
           not been bound to a zone before, it will behave like --add-source.

       [--zone=zone] --query-source=source[/mask]|MAC|ipset:ipset
           Query whether the source is bound to the zone zone. Returns 0 if
           true, 1 otherwise.

       [--zone=zone] --remove-source=source[/mask]|MAC|ipset:ipset
           Remove binding of the source from zone zone. If zone is omitted,
           default zone will be used.

   IPSet Options
       --new-ipset=ipset --type=ipset type [--option=ipset option[=value]]
           Add a new permanent ipset, specifying its type and optional
           options.

           ipset names must be alphanumeric and may additionally include
           characters: '_' and '-'.

       --new-ipset-from-file=filename [--name=ipset]
           Add a new permanent ipset from a prepared ipset file with an
           optional name override.

       --delete-ipset=ipset
           Delete an existing permanent ipset.

       --info-ipset=ipset
           Print information about the ipset ipset. The output format is:

               ipset
                 type: type
                 options: option1[=value1] ..
                 entries: entry1 ..

       --get-ipsets
           Print predefined ipsets as a space separated list.

       --ipset=ipset --add-entry=entry
           Add a new entry to the ipset.

       --ipset=ipset --remove-entry=entry
           Remove an entry from the ipset.

       --ipset=ipset --query-entry=entry
           Return whether the entry has been added to an ipset. Returns 0 if
           true, 1 otherwise.

       --ipset=ipset --get-entries
           List all entries of the ipset.

       --ipset=ipset --add-entries-from-file=filename
           Add new entries to the ipset from the file. For all entries that
           are listed in the file but already in the ipset, a warning will be
           printed.

           The file should contain one entry per line. Lines starting with a
           hash or a semicolon are ignored, as are empty lines.
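           The file format just described, as an added POSIX shell example
           (not part of this man page or of the firewalld project): comments
           and blank lines are stripped and duplicates removed before the
           file is handed to --add-entries-from-file, so the duplicate
           warnings do not hide a real problem, and every remaining entry is
           checked to look like an IPv4 address or network. The IPv4 check
           assumes the ipset holds IPv4 addresses or networks; the blocklist
           in the block is constructed from documentation address ranges, and
           FIREWALL_OFFLINE_CMD is a variable name chosen for the example.

```shell
#!/bin/sh
# Added example, not firewalld project code.
# Assumption: the tool is reachable as $FIREWALL_OFFLINE_CMD.
FIREWALL_OFFLINE_CMD="${FIREWALL_OFFLINE_CMD:-firewall-offline-cmd}"

# normalize_entries SRC DST
# Keeps one entry per line as the tool expects: lines starting with '#'
# or ';' and empty lines are dropped, surrounding whitespace trimmed,
# duplicates collapsed. Prints the number of entries written to DST.
normalize_entries() {
    grep -v -E '^([#;]|[[:space:]]*$)' "$1" \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | sort -u > "$2"
    wc -l < "$2" | tr -d ' '
}

# valid_ipv4_net ENTRY  ->  a.b.c.d or a.b.c.d/prefix (prefix 0-32)
valid_ipv4_net() {
    case "$1" in
        */*) addr="${1%%/*}"; pfx="${1#*/}" ;;
        *)   addr="$1"; pfx=32 ;;
    esac
    case "$pfx" in ''|*[!0-9]*) return 1 ;; esac
    [ "$pfx" -le 32 ] || return 1
    old_ifs="$IFS"; IFS=.
    set -- $addr
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# ipset_load SRC IPSET
# Normalizes SRC, refuses the whole file if any entry is malformed, and
# otherwise loads the cleaned file into the permanent ipset IPSET.
ipset_load() {
    src="$1"; ipset="$2"
    clean=$(mktemp "${TMPDIR:-/tmp}/ipset-entries.XXXXXX")
    normalize_entries "$src" "$clean" >/dev/null
    while IFS= read -r entry; do
        if ! valid_ipv4_net "$entry"; then
            echo "refusing to load $src: invalid entry '$entry'" >&2
            rm -f "$clean"
            return 1
        fi
    done < "$clean"
    rc=0
    "$FIREWALL_OFFLINE_CMD" --ipset="$ipset" --add-entries-from-file="$clean" || rc=$?
    rm -f "$clean"
    return $rc
}

# Demo (sh this-script.sh demo); requires the tool and an existing ipset.
if [ "${1:-}" = "demo" ]; then
    demo=$(mktemp "${TMPDIR:-/tmp}/blocklist.XXXXXX")
    cat > "$demo" <<'EOF'
# constructed blocklist (documentation ranges)
203.0.113.0/24
; second comment style
198.51.100.7

203.0.113.0/24
192.0.2.0/25
EOF
    ipset_load "$demo" blocklist; rm -f "$demo"
fi
```

           Create the set first with --new-ipset=blocklist --type=... and
           check the result with --ipset=blocklist --get-entries; the entry
           count printed by normalize_entries should match.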

       --ipset=ipset --remove-entries-from-file=filename
           Remove existing entries from the ipset from the file. For all
           entries that are listed in the file but not in the ipset, a warning
           will be printed.

           The file should contain one entry per line. Lines starting with a
           hash or a semicolon are ignored, as are empty lines.

       --ipset=ipset --set-description=description
           Set a new description for ipset.

       --ipset=ipset --get-description
           Print the description of ipset.

       --ipset=ipset --set-short=description
           Set a new short description for ipset.

       --ipset=ipset --get-short
           Print the short description of ipset.

       --path-ipset=ipset
           Print path of the ipset configuration file.

664   Service Options
665       --info-service=service
666           Print information about the service service. The output format is:
667
668               service
669                 ports: port1 ..
670                 protocols: protocol1 ..
671                 source-ports: source-port1 ..
672                 helpers: helper1 ..
673                 destination: ipv1:address1 ..
674
675
676
677       --new-service=service
678           Add a new permanent service.
679
680           Service names must be alphanumeric and may additionally include
681           characters: '_' and '-'.
682
683       --new-service-from-file=filename [--name=service]
684           Add a new permanent service from a prepared service file with an
685           optional name override.
686
687       --delete-service=service
688           Delete an existing permanent service.
689
690       --path-service=service
691           Print path of the service configuration file.
692
693       --service=service --set-description=description
694           Set new description to service
695
696       --service=service --get-description
697           Print description for service
698
699       --service=service --set-short=description
700           Set short description to service
701
702       --service=service --get-short
703           Print short description for service
704
705       --service=service --add-port=portid[-portid]/protocol
706           Add a new port to the permanent service.
707
708       --service=service --remove-port=portid[-portid]/protocol
709           Remove a port from the permanent service.
710
711       --service=service --query-port=portid[-portid]/protocol
712           Return wether the port has been added to the permanent service.
713
714       --service=service --get-ports
715           List ports added to the permanent service.
716
717       --service=service --add-protocol=protocol
718           Add a new protocol to the permanent service.
719
720       --service=service --remove-protocol=protocol
721           Remove a protocol from the permanent service.
722
723       --service=service --query-protocol=protocol
724           Return wether the protocol has been added to the permanent service.
725
726       --service=service --get-protocols
727           List protocols added to the permanent service.
728
729       --service=service --add-source-port=portid[-portid]/protocol
730           Add a new source port to the permanent service.
731
732       --service=service --remove-source-port=portid[-portid]/protocol
733           Remove a source port from the permanent service.
734
735       --service=service --query-source-port=portid[-portid]/protocol
736           Return wether the source port has been added to the permanent
737           service.
738
739       --service=service --get-source-ports
740           List source ports added to the permanent service.
741
742       --service=service --add-helper=helper
743           Add a new helper to the permanent service.
744
745       --service=service --remove-helper=helper
746           Remove a helper from the permanent service.
747
748       --service=service --query-helper=helper
749           Return whether the helper has been added to the permanent service.
750
751       --service=service --get-service-helpers
752           List helpers added to the permanent service.
753
754       --service=service --set-destination=ipv:address[/mask]
755           Set destination for ipv to address[/mask] in the permanent service.
756
757       --service=service --remove-destination=ipv
758           Remove the destination for ipv from the permanent service.
759
760       --service=service --query-destination=ipv:address[/mask]
761           Return whether the destination ipv to address[/mask] has been set in
762           the permanent service.
763
764       --service=service --get-destinations
765           List destinations added to the permanent service.
766
767       --service=service --add-include=service
768           Add a new include to the permanent service.
769
770       --service=service --remove-include=service
771           Remove an include from the permanent service.
772
773       --service=service --query-include=service
774           Return whether the include has been added to the permanent service.
775
776       --service=service --get-includes
777           List includes added to the permanent service.
778
779   Helper Options
780       Options in this section affect only one particular helper.
781
782       --info-helper=helper
783           Print information about the helper helper. The output format is:
784
785               helper
786                 family: family
787                 module: module
788                 ports: port1 ..
789
790
791
792       The following options are only usable in the permanent configuration.
793
794       --new-helper=helper --module=nf_conntrack_module [--family=ipv4|ipv6]
795           Add a new permanent helper with module and optionally family
796           defined.
797
798           Helper names must be alphanumeric and may additionally include
799           characters: '-'.
800
801       --new-helper-from-file=filename [--name=helper]
802           Add a new permanent helper from a prepared helper file with an
803           optional name override.
804
805       --delete-helper=helper
806           Delete an existing permanent helper.
807
808       --load-helper-defaults=helper
809           Load helper default settings or report NO_DEFAULTS error.
810
811       --path-helper=helper
812           Print path of the helper configuration file.
813
814       --get-helpers
815           Print predefined helpers as a space separated list.
816
817       --helper=helper --set-description=description
818           Set new description to helper
819
820       --helper=helper --get-description
821           Print description for helper
822
823       --helper=helper --set-short=description
824           Set short description to helper
825
826       --helper=helper --get-short
827           Print short description for helper
828
829       --helper=helper --add-port=portid[-portid]/protocol
830           Add a new port to the permanent helper.
831
832       --helper=helper --remove-port=portid[-portid]/protocol
833           Remove a port from the permanent helper.
834
835       --helper=helper --query-port=portid[-portid]/protocol
836           Return whether the port has been added to the permanent helper.
837
838       --helper=helper --get-ports
839           List ports added to the permanent helper.
840
841       --helper=helper --set-module=module
842           Set the netfilter conntrack module (nf_conntrack_module) of the
843           helper.
844
845       --helper=helper --get-module
846           Print the module of the helper.
847
848       --helper=helper --set-family=family
849           Set the IP family of the helper; family is ipv4 or ipv6.
850
851       --helper=helper --get-family
852           Print the family of the helper.
852
853   Internet Control Message Protocol (ICMP) type Options
854       --info-icmptype=icmptype
855           Print information about the icmptype icmptype. The output format
856           is:
857
858               icmptype
859                 destination: ipv1 ..
860
861
862
863       --new-icmptype=icmptype
864           Add a new permanent icmptype.
865
866           ICMP type names must be alphanumeric and may additionally include
867           characters: '_' and '-'.
868
869       --new-icmptype-from-file=filename [--name=icmptype]
870           Add a new permanent icmptype from a prepared icmptype file with an
871           optional name override.
872
873       --delete-icmptype=icmptype
874           Delete an existing permanent icmptype.
875
876       --icmptype=icmptype --set-description=description
877           Set new description to icmptype
878
879       --icmptype=icmptype --get-description
880           Print description for icmptype
881
882       --icmptype=icmptype --set-short=description
883           Set short description to icmptype
884
885       --icmptype=icmptype --get-short
886           Print short description for icmptype
887
888       --icmptype=icmptype --add-destination=ipv
889           Enable destination for ipv in permanent icmptype. ipv is one of
890           ipv4 or ipv6.
891
892       --icmptype=icmptype --remove-destination=ipv
893           Disable destination for ipv in permanent icmptype. ipv is one of
894           ipv4 or ipv6.
895
896       --icmptype=icmptype --query-destination=ipv
897           Return whether destination for ipv is enabled in permanent
898           icmptype. ipv is one of ipv4 or ipv6.
899
900       --icmptype=icmptype --get-destinations
901           List destinations in permanent icmptype.
902
903       --path-icmptype=icmptype
904           Print path of the icmptype configuration file.
905
906   Direct Options
907       The direct options give more direct access to the firewall. These
908       options require the user to know basic iptables concepts, i.e. table
909       (filter/mangle/nat/...), chain (INPUT/OUTPUT/FORWARD/...), commands
910       (-A/-D/-I/...), parameters (-p/-s/-d/-j/...) and targets
911       (ACCEPT/DROP/REJECT/...).
912
913       Direct options should be used only as a last resort when it's not
914       possible to use for example --add-service=service or
915       --add-rich-rule='rule'.
916
917       Warning: The behavior of direct rules differs depending on the value
918       of FirewallBackend. See CAVEATS in firewalld.direct(5).
919
920       The first argument of each option has to be ipv4 or ipv6 or eb. With
921       ipv4 it will be for IPv4 (iptables(8)), with ipv6 for IPv6
922       (ip6tables(8)) and with eb for ethernet bridges (ebtables(8)).
923
924       --direct --get-all-chains
925           Get all chains added to all tables.
926
927           This option concerns only chains previously added with --direct
928           --add-chain.
929
930       --direct --get-chains { ipv4 | ipv6 | eb } table
931           Get all chains added to table table as a space separated list.
932
933           This option concerns only chains previously added with --direct
934           --add-chain.
935
936       --direct --add-chain { ipv4 | ipv6 | eb } table chain
937           Add a new chain with name chain to table table.
938
939           There already exist basic chains to use with direct options, for
940           example INPUT_direct chain (see iptables-save | grep direct output
941           for all of them). These chains are jumped into before chains for
942           zones, i.e. every rule put into INPUT_direct will be checked before
943           rules in zones.
944
945       --direct --remove-chain { ipv4 | ipv6 | eb } table chain
946           Remove the chain with name chain from table table.
947
948       --direct --query-chain { ipv4 | ipv6 | eb } table chain
949           Return whether a chain with name chain exists in table table.
950           Returns 0 if true, 1 otherwise.
951
952           This option concerns only chains previously added with --direct
953           --add-chain.
954
955       --direct --get-all-rules
956           Get all rules added to all chains in all tables as a newline
957           separated list of the priority and arguments.
958
959       --direct --get-rules { ipv4 | ipv6 | eb } table chain
960           Get all rules added to chain chain in table table as a newline
961           separated list of the priority and arguments.
962
963       --direct --add-rule { ipv4 | ipv6 | eb } table chain priority args
964           Add a rule with the arguments args to chain chain in table table
965           with priority priority.
966
967           The priority is used to order rules. Priority 0 means add rule on
968           top of the chain, with a higher priority the rule will be added
969           further down. Rules with the same priority are on the same level
970           and the order of these rules is not fixed and may change. If you
971           want to make sure that a rule will be added after another one, use
972           a low priority for the first and a higher for the following.
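
       The priority ordering described above, as an added example that is not
       part of this man page or of firewalld: the script parses constructed
       rule lines in the argument order --direct --add-rule takes, orders each
       chain as firewalld would, and flags priorities shared by rules with
       different targets, whose relative order is not fixed.

```python
"""Added example (not from the firewall-offline-cmd man page or from firewalld
itself): show how --direct rule priorities order a chain and flag rules whose
relative order is undefined because they share a priority."""
from collections import defaultdict

# Constructed sample, one rule per line in the argument order that
# "--direct --add-rule" takes: ipv table chain priority args...
SAMPLE_RULES = """\
ipv4 filter INPUT_direct 10 -p tcp --dport 22 -j ACCEPT
ipv4 filter INPUT_direct 0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ipv4 filter INPUT_direct 10 -p tcp --dport 22 -s 10.0.0.0/8 -j DROP
ipv4 filter INPUT_direct 20 -j LOG --log-prefix "direct: "
ipv6 filter INPUT_direct 5 -p ipv6-icmp -j ACCEPT
"""

def parse_direct_rules(text):
    """Return {(ipv, table, chain): [(priority, args), ...]} in insertion order."""
    chains = defaultdict(list)
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 5:
            continue  # blank or malformed line
        ipv, table, chain, prio, args = parts
        chains[(ipv, table, chain)].append((int(prio), args))
    return dict(chains)

def effective_order(rules):
    """Order rules as the man page describes: priority 0 at the top, higher
    numbers further down. sorted() is stable, so equal priorities keep
    insertion order here; firewalld gives no such guarantee."""
    return sorted(rules, key=lambda rule: rule[0])

def target_of(args):
    """Return the -j target of an iptables argument string, or None."""
    tokens = args.split()
    return tokens[tokens.index("-j") + 1] if "-j" in tokens[:-1] else None

def ambiguous_priorities(rules):
    """Map each priority shared by rules with different targets to those
    targets. Because same-priority order is not fixed, an ACCEPT and a DROP
    at one priority make the effective policy nondeterministic."""
    targets = defaultdict(set)
    for prio, args in rules:
        target = target_of(args)
        if target is not None:
            targets[prio].add(target)
    return {p: t for p, t in targets.items() if len(t) > 1}

if __name__ == "__main__":
    for chain, rules in parse_direct_rules(SAMPLE_RULES).items():
        print(" ".join(chain), [p for p, _ in effective_order(rules)],
              "ambiguous:", ambiguous_priorities(rules))
```

       In the sample, the port 22 ACCEPT and the 10.0.0.0/8 DROP share priority
       10, so whether the DROP ever fires depends on an order firewalld does not
       promise; giving the DROP a lower number than the ACCEPT removes the ambiguity.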
973
974       --direct --remove-rule { ipv4 | ipv6 | eb } table chain priority args
975           Remove a rule with priority and the arguments args from chain chain
976           in table table.
977
978       --direct --remove-rules { ipv4 | ipv6 | eb } table chain
979           Remove all rules from the chain with name chain in table table.
981
982           This option concerns only rules previously added with --direct
983           --add-rule in this chain.
984
985       --direct --query-rule { ipv4 | ipv6 | eb } table chain priority args
986           Return whether a rule with priority and the arguments args exists
987           in chain chain in table table. Returns 0 if true, 1 otherwise.
988
989       --direct --get-all-passthroughs
990           Get all permanent passthrough rules as a newline separated list of
991           the ipv value and arguments.
992
993       --direct --get-passthroughs { ipv4 | ipv6 | eb }
994           Get all permanent passthrough rules for the ipv value as a newline
995           separated list of the priority and arguments.
996
997       --direct --add-passthrough { ipv4 | ipv6 | eb } args
998           Add a permanent passthrough rule with the arguments args for the
999           ipv value.
1000
1001       --direct --remove-passthrough { ipv4 | ipv6 | eb } args
1002           Remove a permanent passthrough rule with the arguments args for the
1003           ipv value.
1004
1005       --direct --query-passthrough { ipv4 | ipv6 | eb } args
1006           Return whether a permanent passthrough rule with the arguments args
1007           exists for the ipv value. Returns 0 if true, 1 otherwise.
1008
1009   Lockdown Options
1010       Local applications or services are able to change the firewall
1011       configuration if they are running as root (example: libvirt) or are
1012       authenticated using PolicyKit. With this feature administrators can
1013       lock the firewall configuration so that only applications on the
1014       lockdown whitelist are able to request firewall changes.
1015
1016       The lockdown access check limits D-Bus methods that are changing
1017       firewall rules. Query, list and get methods are not limited.
1018
1019       The lockdown feature is a very light version of user and application
1020       policies for firewalld and is turned off by default.
1021
1022       --lockdown-on
1023           Enable lockdown. Be careful: if firewall-cmd is not on the lockdown
1024           whitelist when you enable lockdown, you won't be able to disable it
1025           again with firewall-cmd; you would need to edit firewalld.conf.
1026
1027       --lockdown-off
1028           Disable lockdown.
1029
1030       --query-lockdown
1031           Query whether lockdown is enabled. Returns 0 if lockdown is
1032           enabled, 1 otherwise.
1033
1034   Lockdown Whitelist Options
1035       The lockdown whitelist can contain commands, contexts, users and user
1036       ids.
1037
1038       If a command entry on the whitelist ends with an asterisk '*', then all
1039       command lines starting with the command will match. If the '*' is not
1040       there the absolute command inclusive arguments must match.
1041
1042       The command path for root and for other users is not always the same.
1043       Example: as root /bin/firewall-cmd is used, as a normal user
1044       /usr/bin/firewall-cmd is used on Fedora.
1045
1046       The context is the security (SELinux) context of a running application
1047       or service. To get the context of a running application use ps -e
1048       --context.
1049
1050       Warning: If the context is unconfined, then this will open access for
1051       more than the desired application.
1052
1053       The lockdown whitelist entries are checked in the following order:
1054           1. context
1055           2. uid
1056           3. user
1057           4. command
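
       The whitelist matching rules above, as an added example that is not
       part of this man page or of firewalld: a constructed whitelist is
       checked in the documented order (context, uid, user, command), command
       entries use the trailing '*' prefix semantics, and entries that open
       access too widely (an unconfined context) are flagged.

```python
"""Added example (not from the firewall-offline-cmd man page or from firewalld
itself): model how a lockdown whitelist decides whether a caller may change
the firewall, in the order the man page gives: context, uid, user, command."""

# Constructed whitelist; the entry kinds mirror the --add-lockdown-whitelist-*
# options. Paths and contexts are illustrative, not taken from a real system.
WHITELIST = {
    "contexts": {"system_u:system_r:NetworkManager_t:s0"},
    "uids": {0},
    "users": {"fwadmin"},
    "commands": {"/usr/bin/firewall-config", "/usr/bin/firewall-cmd --reload*"},
}

def command_matches(entry, cmdline):
    """A trailing '*' makes the entry a prefix match on the command line;
    otherwise the full command line including arguments must match exactly."""
    if entry.endswith("*"):
        return cmdline.startswith(entry[:-1])
    return cmdline == entry

def lockdown_allows(whitelist, context, uid, user, cmdline):
    """Return (allowed, reason). Checks run in the documented order and the
    first matching kind wins, so a broad context entry shadows everything."""
    if context in whitelist["contexts"]:
        return True, "context"
    if uid in whitelist["uids"]:
        return True, "uid"
    if user in whitelist["users"]:
        return True, "user"
    if any(command_matches(e, cmdline) for e in whitelist["commands"]):
        return True, "command"
    return False, "no whitelist entry matched"

def overly_broad_entries(whitelist):
    """Flag entries that open lockdown too widely: an unconfined SELinux
    context (the man page's warning) and a bare '*' command entry, which by
    the prefix rule matches every command line."""
    broad = [c for c in whitelist["contexts"] if "unconfined" in c]
    broad += [c for c in whitelist["commands"] if c.strip("*") == ""]
    return broad

if __name__ == "__main__":
    print(lockdown_allows(WHITELIST, "unconfined_u:unconfined_r:unconfined_t:s0",
                          1000, "alice", "/usr/bin/firewall-cmd --reload"))
    print(overly_broad_entries(WHITELIST))
```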
1058
1059       --list-lockdown-whitelist-commands
1060           List all command lines that are on the whitelist.
1061
1062       --add-lockdown-whitelist-command=command
1063           Add the command to the whitelist.
1064
1065       --remove-lockdown-whitelist-command=command
1066           Remove the command from the whitelist.
1067
1068       --query-lockdown-whitelist-command=command
1069           Query whether the command is on the whitelist. Returns 0 if true, 1
1070           otherwise.
1071
1072       --list-lockdown-whitelist-contexts
1073           List all contexts that are on the whitelist.
1074
1075       --add-lockdown-whitelist-context=context
1076           Add the context context to the whitelist.
1077
1078       --remove-lockdown-whitelist-context=context
1079           Remove the context from the whitelist.
1080
1081       --query-lockdown-whitelist-context=context
1082           Query whether the context is on the whitelist. Returns 0 if true, 1
1083           otherwise.
1084
1085       --list-lockdown-whitelist-uids
1086           List all user ids that are on the whitelist.
1087
1088       --add-lockdown-whitelist-uid=uid
1089           Add the user id uid to the whitelist.
1090
1091       --remove-lockdown-whitelist-uid=uid
1092           Remove the user id uid from the whitelist.
1093
1094       --query-lockdown-whitelist-uid=uid
1095           Query whether the user id uid is on the whitelist. Returns 0 if
1096           true, 1 otherwise.
1097
1098       --list-lockdown-whitelist-users
1099           List all user names that are on the whitelist.
1100
1101       --add-lockdown-whitelist-user=user
1102           Add the user name user to the whitelist.
1103
1104       --remove-lockdown-whitelist-user=user
1105           Remove the user name user from the whitelist.
1106
1107       --query-lockdown-whitelist-user=user
1108           Query whether the user name user is on the whitelist. Returns 0 if
1109           true, 1 otherwise.
1110
1111   Policy Options
1112       --policy-server
1113           Change Polkit actions to 'server' (more restricted)
1114
1115       --policy-desktop
1116           Change Polkit actions to 'desktop' (less restricted)
1117

SEE ALSO

1119       firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1),
1120       firewalld.conf(5), firewalld.direct(5), firewalld.dbus(5),
1121       firewalld.icmptype(5), firewalld.lockdown-whitelist(5), firewall-
1122       offline-cmd(1), firewalld.richlanguage(5), firewalld.service(5),
1123       firewalld.zone(5), firewalld.zones(5), firewalld.ipset(5),
1124       firewalld.helper(5)
1125

NOTES

1127       firewalld home page:
1128           http://firewalld.org
1129
1130       More documentation with examples:
1131           http://fedoraproject.org/wiki/FirewallD
1132

AUTHORS

1134       Thomas Woerner <twoerner@redhat.com>
1135           Developer
1136
1137       Jiri Popelka <jpopelka@redhat.com>
1138           Developer
1139
1140       Eric Garver <eric@garver.life>
1141           Developer
1142
1143
1144
1145firewalld 0.8.6                                          FIREWALL-OFFLINE-C(1)